使用MSI连接到Azure Vault [英] Connection to Azure Vault using MSI
问题描述
我正在尝试使用MSI从控制台应用程序连接到我的Azure保管库
为此保险库,我已将我的用户添加为选定原则"
我用来连接的代码是
var azureServiceTokenProvider = new AzureServiceTokenProvider();var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));var secret = await keyVaultClient.GetSecretAsync("https://< vaultname> .vault.azure.net/secrets/< SecretName>").ConfigureAwait(false); 我收到以下异常
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException:参数:Connectionstring:[未指定连接字符串],资源:
解决方案
- 在虚拟机下的 Configuration 刀片中启用托管服务身份.
- 搜索 NameOfYourVM 服务主体,并将其添加到访问策略"(em)下的Key Vault中.添加密钥/秘密/证书权限.
- 在您的Azure VM上,运行控制台应用程序.
class程序{//在.csproj中将C#7.1+定位为异步Main静态异步任务Main(){var azureServiceTokenProvider =新的AzureServiceTokenProvider();var keyVaultClient =新的KeyVaultClient(新的KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));var secret =等待keyVaultClient.GetSecretAsync("https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");Console.WriteLine(secret.Value);Console.ReadLine();}}
要在本地运行,请创建自己的Azure AD应用程序注册(Web App/Web API类型以使其成为机密客户端),将其添加到Key Vault中,并在获取访问令牌时使用其client_id和client_secret-;
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken正如评论中提到的 Varun 一样,现在有一种更好的方法可以在本地运行时获取访问令牌,而无需在本地运行公开服务主体—
I am trying to connect to my azure vault from a console application with using MSI
For this vault i have added my user as the Selected Principle
the code i am using to connect isvar azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);I get the following exception
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority
解决方案
- Enable Managed Service Identity in the Configuration blade under your virtual machine.
- Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.
- On your Azure VM, run the console app.
class Program { // Target C# 7.1+ in your .csproj for async Main static async Task Main() { var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback( azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync( "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME"); Console.WriteLine(secret.Value); Console.ReadLine(); } }
To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettokenAs Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —
这篇关于使用MSI连接到Azure Vault的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
